HIPAA Compliance Audits: The Future Is MurkyOCR Official Avoids Spelling Out Plans for the Program
Will the Department of Health and Human Services under the Trump administration create a permanent HIPAA compliance audit program, as the Obama administration intended to do?
And in the short run, will HHS' Office for Civil Rights move forward soon with plans to conduct on-site audits as part of the ongoing phase two HIPAA compliance audit program that kicked off last year?
See Also: HIPAA Audits: A Revised Game Plan
Based on comments from an OCR official at a conference on Wednesday, the answers to those questions remain far from clear.
When pressed by an attendee at the HIPAA conference co-sponsored by OCR about the future of a permanent audit program or immediate plans for onsite audits related to phase two audits, Linda Sanches, an OCR senior adviser, said she didn't have any information to share about the status of either.
"I did not mean that the goal of the program was to make it permanent. The goal is to help people with compliance," she said.
"So if it is not going to be permanent, is this the end of it?" the audience member asked.
"This is not the end of it. I cannot really say what the long-term structure will look like," Sanches replied.
"What is coming after phase two audit?" the audience member then asked.
"That is a very good question. I know the goals are for on-site audits. I believe that is what will come next."
Originally, phase two's remote "desk audits" were to be followed by an undisclosed number of on-site audits of randomly chosen covered entities and business associates in the first quarter of 2017.
However, earlier this year, an OCR official acknowledged that the onsite audits might not start until 2018 to allow time for the Trump administration's HHS Secretary Tom Price to provide input into how the onsite audits should be conducted.
On day two of the 10th Annual HIPAA Compliance Conference co-sponsored by OCR and the National Institute of Standards and Technology, Sanches said OCR has completed its preliminary analysis of findings from 166 remote "desk" compliance audits of covered entities and is currently conducting desk audits of 41 business associates.
"The point of the audit program was never for it to be a strong enforcement methodology," Sanches said. The audit program underway "has been designed to help you all in compliance and support your compliance work. We were hoping to identify best practices out there in the industry that we were not aware of - maybe uncover risks and vulnerabilities we were not aware of given that most of our work comes from breach notifications we see ... receiving complaints. ... This is not intended to be a punitive program. We do have a separate authority; if [we] saw something alarming or significant noncompliance, we could refer over to the enforcement arm where they could open a compliance review."
Of the covered entities audited in phase two, most were smaller providers or health plans, Sanches says. Some 103 were assessed for compliance with selected provisions of the HIPAA privacy and breach notification rules, and the rest were evaluated for their compliance with certain provisions of the HIPAA Security Rule, she notes.
The business associates were audited for compliance with provisions of the HIPAA security and breach notification rules.
The CEs and BAs audited in phase two are being rated on a 1 to 5 scale for their compliance with specific HIPAA rule provisions. The rating was based "from the documentation, how well we thought they were doing," Sanches says.
So far, the audits show compliance weaknesses similar to what OCR found in its first round of audits in 2011 and 2012, Sanches said, including shortcomings with HIPAA security risk analyses.
"Many people are not conducting risk analyses or documenting risk analysis," she said. "They are making efforts to do so."
Inadequate documenation, she said, means that "often it would not be clear that it was conducted or conducted regularly. There might be a form that was provided some years earlier but not filled out or just filled out once. Sometimes there would be a listing of risks but not a reading of potential harm from some of these threats and vulnerabilities. ... There is a lot of room here for growth."
OCR's original stated plans under the Obama administration were to complete a total of about 250 desk and on-site audits in phase two. In a pilot program, or phase one, conducted in 2011 and 2012, OCR conducted 115 onsite audits.
In April 2016, OCR issued an updated protocol for phase two, reflecting the HIPAA Omnibus Rule, which went into effect in 2013.
The revamped audit protocol built upon an earlier protocol OCR released in 2012 when it launched its pilot phase of HIPAA audits that scrutinized covered entities, and not business associates, for compliance with the HIPAA privacy, security and breach notification rules (see OCR Releases New HIPAA Audit Protocol).
Phase two of the audit program is also scrutinizing business associates, who became directly liable for HIPAA compliance under the HIPAA Omnibus Rule.